networknt · stevehu · Dec 15, 2022 · Dec 15, 2022
diff --git a/client/src/integration/java/com/networknt/client/Http2ClientIT.java b/client/src/integration/java/com/networknt/client/Http2ClientIT.java
@@ -868,11 +868,7 @@ private static SSLContext createSSLContext(final KeyStore keyStore, final KeySto
 
         SSLContext sslContext;
         try {
-            if(!client) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance("TLS");
-            }
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new IOException("Unable to create and initialise the SSLContext", e);

diff --git a/client/src/integration/java/com/networknt/client/Http2ClientPoolIT.java b/client/src/integration/java/com/networknt/client/Http2ClientPoolIT.java
@@ -681,11 +681,7 @@ private static SSLContext createSSLContext(final KeyStore keyStore, final KeySto
 
         SSLContext sslContext;
         try {
-            if(!client) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance("TLS");
-            }
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new IOException("Unable to create and initialise the SSLContext", e);

diff --git a/client/src/main/java/com/networknt/client/Http2Client.java b/client/src/main/java/com/networknt/client/Http2Client.java
@@ -109,6 +109,7 @@ public class Http2Client {
     static final String KEY_STORE = "keyStore";
     static final String KEY_STORE_PASS = "keyStorePass";
     static final String KEY_PASS = "keyPass";
+    static final String TLS_VERSION = "tlsVersion";
     static final String KEY_STORE_PROPERTY = "javax.net.ssl.keyStore";
     static final String KEY_STORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
     static final String TRUST_STORE_PROPERTY = "javax.net.ssl.trustStore";
@@ -697,7 +698,9 @@ public static SSLContext createSSLContext(String trustedNamesGroupKey) throws IO
             }
 
             try {
-                sslContext = SSLContext.getInstance("TLS");
+                String tlsVersion = (String)tlsMap.get(TLS_VERSION);
+                if(tlsVersion == null) tlsVersion = "TLSv1.2";
+                sslContext = SSLContext.getInstance(tlsVersion);
                 sslContext.init(keyManagers, trustManagers, null);
             } catch (NoSuchAlgorithmException | KeyManagementException e) {
                 throw new IOException("Unable to create and initialise the SSLContext", e);

diff --git a/client/src/main/resources/config/client.yml b/client/src/main/resources/config/client.yml
@@ -27,6 +27,9 @@ tls:
   keyStorePass: ${client.keyStorePass:password}
   # private key password
   keyPass: ${client.keyPass:password}
+  # TLS version. Default is TSLv1.2, and you can downgrade to TLSv1 to support some internal old servers that support only TLSv1.1(deprecated
+  # and risky). You can also upgrade to TSLv1.3 for maximum security if all your servers support it.
+  tlsVersion: ${client.tlsVersion:TLSv1.2}
 # settings for OAuth2 server communication
 oauth:
   # OAuth 2.0 token endpoint configuration

diff --git a/client/src/test/java/com/networknt/client/Http2ClientBase.java b/client/src/test/java/com/networknt/client/Http2ClientBase.java
@@ -69,11 +69,7 @@ protected static SSLContext createSSLContext(final KeyStore keyStore, final KeyS
 
         SSLContext sslContext;
         try {
-            if(!client) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance("TLS");
-            }
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new IOException("Unable to create and initialise the SSLContext", e);

diff --git a/client/src/test/java/com/networknt/client/Http2ClientPoolTest.java b/client/src/test/java/com/networknt/client/Http2ClientPoolTest.java
@@ -422,11 +422,7 @@ private static SSLContext createSSLContext(final KeyStore keyStore, final KeySto
 
         SSLContext sslContext;
         try {
-            if(!client) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance("TLS");
-            }
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new IOException("Unable to create and initialise the SSLContext", e);
@@ -613,7 +609,7 @@ private static SSLContext createTestSSLContext(boolean verifyHostName, String tr
             }
 
             try {
-                sslContext = SSLContext.getInstance("TLS");
+                sslContext = SSLContext.getInstance("TLSv1.2");
                 sslContext.init(keyManagers, trustManagers, null);
 
             } catch (NoSuchAlgorithmException | KeyManagementException e) {

diff --git a/client/src/test/java/com/networknt/client/Http2ClientTest.java b/client/src/test/java/com/networknt/client/Http2ClientTest.java
@@ -69,6 +69,7 @@
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.regex.Pattern;
 
+import static com.networknt.client.Http2Client.TLS_VERSION;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -873,7 +874,7 @@ private static SSLContext createTestSSLContext(boolean verifyHostName, String tr
             }
 
             try {
-                sslContext = SSLContext.getInstance("TLS");
+                sslContext = SSLContext.getInstance((String)tlsMap.get(TLS_VERSION));
                 sslContext.init(keyManagers, trustManagers, null);
 
             } catch (NoSuchAlgorithmException | KeyManagementException e) {

diff --git a/client/src/test/java/com/networknt/client/rest/RestClientTemplateTest.java b/client/src/test/java/com/networknt/client/rest/RestClientTemplateTest.java
@@ -181,11 +181,7 @@ private static SSLContext createSSLContext(final KeyStore keyStore, final KeySto
 
         SSLContext sslContext;
         try {
-            if(!client) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance("TLS");
-            }
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new IOException("Unable to create and initialise the SSLContext", e);

diff --git a/client/src/test/resources/config/client-multiple.yml b/client/src/test/resources/config/client-multiple.yml
@@ -27,6 +27,9 @@ tls:
   keyStorePass: ${client.keyStorePass:password}
   # private key password
   keyPass: ${client.keyPass:password}
+  # TLS version. Default is TSLv1.2, and you can downgrade to TLSv1 to support some internal old servers that support only TLSv1.1(deprecated
+  # and risky). You can also upgrade to TSLv1.3 for maximum security if all your servers support it.
+  tlsVersion: ${client.tlsVersion:TLSv1.2}
 # settings for OAuth2 server communication
 oauth:
   # OAuth 2.0 token endpoint configuration

diff --git a/client/src/test/resources/config/client-proxy.yml b/client/src/test/resources/config/client-proxy.yml
@@ -27,6 +27,9 @@ tls:
   keyStorePass: ${client.keyStorePass:password}
   # private key password
   keyPass: ${client.keyPass:password}
+  # TLS version. Default is TSLv1.2, and you can downgrade to TLSv1 to support some internal old servers that support only TLSv1.1(deprecated
+  # and risky). You can also upgrade to TSLv1.3 for maximum security if all your servers support it.
+  tlsVersion: ${client.tlsVersion:TLSv1.2}
 # settings for OAuth2 server communication
 oauth:
   # OAuth 2.0 token endpoint configuration

diff --git a/client/src/test/resources/config/client-single.yml b/client/src/test/resources/config/client-single.yml
@@ -27,6 +27,9 @@ tls:
   keyStorePass: ${client.keyStorePass:password}
   # private key password
   keyPass: ${client.keyPass:password}
+  # TLS version. Default is TSLv1.2, and you can downgrade to TLSv1 to support some internal old servers that support only TLSv1.1(deprecated
+  # and risky). You can also upgrade to TSLv1.3 for maximum security if all your servers support it.
+  tlsVersion: ${client.tlsVersion:TLSv1.2}
 # settings for OAuth2 server communication
 oauth:
   # OAuth 2.0 token endpoint configuration

diff --git a/client/src/test/resources/config/client.yml b/client/src/test/resources/config/client.yml
@@ -27,6 +27,9 @@ tls:
   keyStorePass: password
   # private key password
   keyPass: password
+  # TLS version. Default is TSLv1.2, and you can downgrade to TLSv1 to support some internal old servers that support only TLSv1.1(deprecated
+  # and risky). You can also upgrade to TSLv1.3 for maximum security if all your servers support it.
+  tlsVersion: ${client.tlsVersion:TLSv1.2}
 # settings for OAuth2 server communication
 oauth:
   # OAuth 2.0 token endpoint configuration

diff --git a/ingress-proxy/src/main/java/com/networknt/proxy/mras/MrasHandler.java b/ingress-proxy/src/main/java/com/networknt/proxy/mras/MrasHandler.java
@@ -490,7 +490,7 @@ private SSLContext createSSLContext() throws IOException {
         }
 
         try {
-            sslContext = SSLContext.getInstance("TLS");
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             logger.error("Exception:", e);

diff --git a/security/src/test/java/com/networknt/security/JwtVerifierJwkBase.java b/security/src/test/java/com/networknt/security/JwtVerifierJwkBase.java
@@ -69,11 +69,7 @@ protected static SSLContext createSSLContext(final KeyStore keyStore, final KeyS
 
         SSLContext sslContext;
         try {
-            if(!client) {
-                sslContext = SSLContext.getInstance("TLS");
-            } else {
-                sslContext = SSLContext.getInstance("TLS");
-            }
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new IOException("Unable to create and initialise the SSLContext", e);

diff --git a/server/src/main/java/com/networknt/server/Server.java b/server/src/main/java/com/networknt/server/Server.java
@@ -468,7 +468,7 @@ private static SSLContext createSSLContext() throws RuntimeException {
             }
 
             SSLContext sslContext;
-            sslContext = SSLContext.getInstance("TLSv1");
+            sslContext = SSLContext.getInstance("TLSv1.2");
             sslContext.init(keyManagers, trustManagers, null);
             return sslContext;
         } catch (Exception e) {